Gitorious 2.4.6 has just been released, and all Gitorious servers should be updated immediately. This release brings Gitorious up to Rails version 2.3.16, which fixes a severe vulnerability in Ruby on Rails (CVE-2013-0333, the issue the workaround below targets). There’s more information about this vulnerability on the Ruby on Rails security mailing list. This release also fixes the less severe CVE-0155 from two weeks ago.
Depending on which version of Gitorious your server runs, follow one of the three alternatives below:
If you’re running from a release in the 2.4 branch of Gitorious:
To upgrade a server running one of the releases in the 2.4 series, run these commands from the root of your Gitorious checkout:
- git fetch origin
- git merge v2.4.6
- bundle install
- touch tmp/restart.txt (this assumes you’re using Passenger; for non-Passenger deployments, restart your application server the way you normally do)
If you’re running from the next branch of Gitorious (Rails 3):
Guess what, you’re off the hook. This vulnerability does not affect Rails 3.2, which Gitorious 3 is built on.
If you’re running neither of the versions above:
If your server is running a version that cannot be upgraded this way, you can still secure it by applying the workaround from the Rails advisory manually:
- create the file config/initializers/fix_cve_2013_0333.rb inside your Gitorious installation with this single line as its content:
ActiveSupport::JSON.backend = "JSONGem"
- restart your application server so the initializer is loaded (touch tmp/restart.txt under Passenger)
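After applying either the upgrade or the manual workaround, it is worth verifying that a server actually ended up in a safe state rather than trusting that the steps ran. The script below is an added example written for this post, not code from Gitorious or Rails: it reads the resolved Rails version out of a Gemfile.lock, classifies it against what this post says (2.3.x is fixed from 2.3.16; 3.2.x, which the next branch uses, is unaffected; anything else is reported as unknown), and checks whether an initializer pins the JSON backend to JSONGem. The function names and the sample lockfile contents are constructed for the example.

```ruby
# Added example: audit a Gitorious checkout for the CVE-2013-0333 fix.
# Helper names are hypothetical; the lockfile snippets are constructed.
require 'rubygems' # for Gem::Version

# Bundler writes the resolved gem as "    rails (2.3.15)" in the specs
# section; dependency lines look like "actionmailer (= 2.3.15)" and
# are skipped because of the "= ".
def rails_version_from_lockfile(lockfile)
  m = lockfile.match(/^\s+rails \((\d+(?:\.\d+)+)\)\s*$/)
  m && Gem::Version.new(m[1])
end

FIXED_2_3 = Gem::Version.new('2.3.16') # version shipped by Gitorious 2.4.6

# Classify a Rails version against CVE-2013-0333 using only what the
# post states:
#   :patched    - 2.3.x at or above 2.3.16
#   :vulnerable - 2.3.x below 2.3.16
#   :unaffected - 3.2.x (what Gitorious 3 / the next branch runs)
#   :unknown    - anything else; consult the Rails advisory
def cve_2013_0333_status(version)
  major, minor = version.segments[0], version.segments[1]
  if major == 2 && minor == 3
    version >= FIXED_2_3 ? :patched : :vulnerable
  elsif major == 3 && minor == 2
    :unaffected
  else
    :unknown
  end
end

# True if an initializer pins the JSON backend to JSONGem (the manual
# workaround). Commented-out lines do not count; either quote style is fine.
def jsongem_workaround?(initializer_source)
  initializer_source.lines.any? do |line|
    line !~ /\A\s*#/ &&
      line =~ /ActiveSupport::JSON\.backend\s*=\s*["']JSONGem["']/
  end
end

# A server is considered safe when Rails is patched or unaffected, or when
# the JSONGem workaround is present. Unknown versions without the
# workaround are treated as unsafe on purpose.
def server_safe?(lockfile, initializer_source = '')
  version = rails_version_from_lockfile(lockfile)
  return false unless version
  status = cve_2013_0333_status(version)
  [:patched, :unaffected].include?(status) || jsongem_workaround?(initializer_source)
end

# Constructed sample lockfiles (abbreviated), not taken from a real server.
SAMPLE_LOCKFILE_OLD = <<LOCK
GEM
  remote: http://rubygems.org/
  specs:
    rails (2.3.15)
      actionmailer (= 2.3.15)
LOCK

SAMPLE_LOCKFILE_NEW = <<LOCK
GEM
  remote: http://rubygems.org/
  specs:
    rails (2.3.16)
      actionmailer (= 2.3.16)
LOCK

if __FILE__ == $0
  puts "old lockfile, no workaround:   #{server_safe?(SAMPLE_LOCKFILE_OLD)}"
  puts "old lockfile, with workaround: #{server_safe?(SAMPLE_LOCKFILE_OLD,
       %q{ActiveSupport::JSON.backend = "JSONGem"})}"
  puts "2.3.16 lockfile:               #{server_safe?(SAMPLE_LOCKFILE_NEW)}"
end
```

On a real server, run it from the Gitorious root with the actual files, for example `server_safe?(File.read('Gemfile.lock'), Dir['config/initializers/*.rb'].map { |f| File.read(f) }.join)`. Note that it only inspects files on disk; it cannot tell whether the application server has been restarted since the change, so the restart step still has to be confirmed separately.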